# Cipher Suite Practices and Pitfalls

Updated Jun 06, 2023, Version 3.0

It seems like every time you turn around there is a new vulnerability to deal with, and some of them, such as Sweet32, have required altering cipher configurati...

adam88 (Cirrus), Sep 09, 2018

Oh wow, this is such a fantastic article. I was actually attempting to block protocols using the cipher string, definitely changing my approach now.

One of my LTMs runs BIG-IP v11.4.1, and on this I wanted to purely use ECDHE key exchange with only TLS1.2. I was thinking that I would use `ECDHE+AES` and then use the Options list to block TLS1, TLS1.1, DTLS, SSLv2 and SSLv3.

`tmm --clientciphers 'ECDHE+AES'`

```
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
5: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
```

And to see what happens when I disable TLS1 and TLS1.1:

`tmm --clientciphers 'ECDHE+AES:!TLSv1:!TLSv1_1'`

```
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
```

I noticed that I could also do:

`tmm --clientciphers 'ECDHE+AES+TLSv1_2'`

```
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
```

Is it a good idea to add `+TLSv1_2` to the string? I can't see any pitfalls to this, but I'm not super experienced with cipher strings.
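To make the difference between the two cipher strings in the post concrete, here is an added example (not from the article and not from adam88's post) that evaluates F5-style cipher strings over the suite table shown above. It is a deliberately simplified model of the tmm grammar: only `:` separation, `+` conjunction and `!` permanent exclusion are modeled, and the keyword table and the `evaluate` function are assumptions of the example, not tmm's own code.

```python
# Simplified evaluator for F5-style cipher strings (added example; not from the
# article or the poster). It models ':' as the element separator, '+' as "all
# keywords must match", and '!' as permanent removal. It does NOT model '-',
# '@STRENGTH', ordering rules or the many other keywords real tmm understands.

# Suite table constructed from the rows in the post's tmm --clientciphers output:
# (suite id, name, bits, protocol, cipher, mac, key exchange)
TABLE = [
    (49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1",   "AES", "SHA", "ECDHE_RSA"),
    (49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1.1", "AES", "SHA", "ECDHE_RSA"),
    (49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1.2", "AES", "SHA", "ECDHE_RSA"),
    (49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1",   "AES", "SHA", "ECDHE_RSA"),
    (49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1.1", "AES", "SHA", "ECDHE_RSA"),
    (49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1.2", "AES", "SHA", "ECDHE_RSA"),
]

# Keyword -> predicate over a table row. Only the keywords used in the post
# (plus SHA) are modeled; anything else raises KeyError on purpose.
KEYWORDS = {
    "ECDHE":   lambda r: r[6].startswith("ECDHE"),
    "AES":     lambda r: r[4] == "AES",
    "SHA":     lambda r: r[5] == "SHA",
    "TLSv1":   lambda r: r[3] == "TLS1",
    "TLSv1_1": lambda r: r[3] == "TLS1.1",
    "TLSv1_2": lambda r: r[3] == "TLS1.2",
}


def evaluate(cipher_string, table=TABLE):
    """Return the (protocol, suite name) pairs a cipher string selects, in order."""
    selected, banned = [], set()
    for element in cipher_string.split(":"):
        exclude = element.startswith("!")
        words = element.lstrip("!").split("+")
        matches = [r for r in table if all(KEYWORDS[w](r) for w in words)]
        if exclude:
            # '!' removes the suites permanently; a later element cannot re-add them
            banned.update(matches)
            selected = [r for r in selected if r not in banned]
        else:
            # '+' only narrows what THIS element adds; it bans nothing for later elements
            for r in matches:
                if r not in banned and r not in selected:
                    selected.append(r)
    return [(r[3], r[1]) for r in selected]
```

On the post's table both `ECDHE+AES:!TLSv1:!TLSv1_1` and `ECDHE+AES+TLSv1_2` yield the same two TLS1.2 suites, but appending a broader element such as `:AES` re-adds the TLS1 and TLS1.1 suites after the `+TLSv1_2` form while the `!` form keeps them out, which is why protocol restriction belongs in the profile's protocol options rather than in the cipher string alone.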